The Microsoft Defender XDR Alerts Input retrieves comprehensive security alerts from Microsoft's unified Extended Detection and Response (XDR) platform.
Sync Type: Incremental
Overview
This input connects to the Microsoft Graph Security API to fetch alerts generated by multiple integrated security services within the Microsoft Defender XDR suite.
Supported Security Services
The input retrieves alerts from the following Microsoft Defender services:
Microsoft Defender for Endpoint - Endpoint detection and response alerts from workstations, servers, and mobile devices
Microsoft Defender for Cloud - Cloud security posture management and threat protection alerts from Azure, AWS, and GCP resources
Microsoft Defender for Identity - Identity-based threats and suspicious activities targeting Active Directory environments
Microsoft Defender for Office 365 - Email and collaboration threats including phishing, malware, and safe attachments/links
Microsoft Defender for Cloud Apps - Cloud application security alerts and anomalous user behavior detection
Prerequisites
Have a Microsoft Account with an active Azure Subscription.
Register a new Application under App Registrations in the Azure Entra ID portal.
Make sure this new application has the following API permissions:
Microsoft Graph -
SecurityAlert.Read.All
SecurityAlert.ReadWrite.All
SecurityIncident.Read.All
SecurityIncident.ReadWrite.All
Minimum role assignment: Reader role on the subscription or resource group scope. If the input only reads alerts, SecurityAlert.Read.All and SecurityIncident.Read.All are sufficient; grant the ReadWrite.All permissions only when write-back to alerts or incidents is actually required.
Setting up a new application for API Access
Registering a new application
Open the App Registration page in the Azure Entra ID portal.
Select New Registration.
Add a name to the new registration.
Click Register.
Save the application's Application (client) ID and Directory (tenant) ID.
Select Certificates and Secrets.
Click the link next to Client credentials.
In "Client secrets" click "New client secret".
Add a name and expiration to the new secret.
Save the client secret value and store it in a secrets manager; it is the credential this input authenticates with, so it must not be committed to configuration files or source control.
Give application access to Microsoft Graph API
Click "API Permissions" on left sidebar.
Click "Add Permission".
Select "Microsoft Graph API".
Select the permissions SecurityAlert.Read.All, SecurityAlert.ReadWrite.All, SecurityIncident.Read.All, and SecurityIncident.ReadWrite.All.
On the API permission page, click on "Grant admin consent for Default Directory".
Grant access to your User
Navigate to Subscriptions.
Select the active Subscription.
Click "Access control (IAM)" on the left menu.
Select "Add Role Assignment" from the "+ Add" menu.
Select the Reader role and click Next.
Click "Select members".
Search for the new application name and click Select.
Click "Review + assign".
Confirm by clicking "Review + assign".
Configuration
Settings
| Setting | Type | Required | Description |
| --- | --- | --- | --- |
| Tenant ID | string | true | The tenant ID of the Azure AD application |
| Interval | number | true | The number of seconds between runs of this connector |
| Backfill Start Time | string | false | The date to start fetching data from. If not specified, no past records will be fetched. |
Secrets
| Setting | Type | Required | Description |
| --- | --- | --- | --- |
| Client ID | string | true | The client ID of the Azure AD application |
| Client Secret | string | true | The client secret of the Azure AD application |
Related Articles
Sample Record
{
"id" : "ff64d55e-2da9-4053-7a11-40fc2863aee2" ,
"providerAlertId" : "224cd8a2-470a-bccb-6bbb-607b247d4c28" ,
"incidentId" : "1" ,
"status" : "new" ,
"severity" : "medium" ,
"classification" : null ,
"determination" : null ,
"serviceSource" : "Tom Williams" ,
"detectionSource" : "John Johnson" ,
"productName" : "Tom Brown" ,
"detectorId" : "c6b5078c-1e3e-e867-5d32-6672145afced" ,
"tenantId" : "36ec37a2-a108-3fcc-e1e5-33e9b9aff7d2" ,
"title" : "John Brown" ,
"description" : "John Smith" ,
"recommendedActions" : "actions" ,
"category" : "John Miller" ,
"assignedTo" : null ,
"alertWebUrl" : "https://security.microsoft.com/alerts/d43edd62-48a2-21b7-c597-5be3bfdc6901?tid=fb2687d5-c0a5-6b01-e097-44b3b82881d0" ,
"incidentWebUrl" : "https://security.microsoft.com/incident2/0/overview?tid=a21fc2b9-c6d1-b8dc-2e9a-fb335acbb74f" ,
"actorDisplayName" : null ,
"threatDisplayName" : null ,
"threatFamilyName" : null ,
"mitreTechniques" : [
"T1059.001"
],
"createdDateTime" : "2025-08-11T23:46:41Z" ,
"lastUpdateDateTime" : "2025-08-11T23:46:41Z" ,
"resolvedDateTime" : null ,
"firstActivityDateTime" : "2025-08-11T23:46:41Z" ,
"lastActivityDateTime" : "2025-08-11T23:46:41Z" ,
"systemTags" : [],
"alertPolicyId" : null ,
"comments" : [],
"customDetails" : {},
"evidence" : [
{
"@odata.type" : "Jane Williams" ,
"createdDateTime" : "2025-08-11T23:46:41Z" ,
"verdict" : "suspicious" ,
"remediationStatus" : "active" ,
"remediationStatusDetails" : null ,
"roles" : [],
"detailedRoles" : [
"PrimaryDevice"
],
"tags" : [],
"firstSeenDateTime" : "2025-08-11T23:46:41Z" ,
"mdeDeviceId" : "6acf0a18-18b0-2e80-b3d2-faf3ed4627f0" ,
"azureAdDeviceId" : null ,
"deviceDnsName" : "Tom Jones" ,
"hostName" : "Tom Brown" ,
"ntDomain" : null ,
"dnsDomain" : null ,
"osPlatform" : "WindowsServer2022" ,
"osBuild" : "00000" ,
"version" : "1.0" ,
"healthStatus" : "active" ,
"riskScore" : "medium" ,
"rbacGroupId" : 0 ,
"rbacGroupName" : null ,
"onboardingStatus" : "onboarded" ,
"defenderAvStatus" : "unknown" ,
"lastIpAddress" : "0.0.0.0" ,
"lastExternalIpAddress" : "0.0.0.0" ,
"ipInterfaces" : [
"0.0.0.0" ,
"0.0.0.0" ,
"0.0.0.0" ,
"::1"
],
"vmMetadata" : null ,
"loggedOnUsers" : []
},
{
"@odata.type" : "Peter Miller" ,
"createdDateTime" : "2025-08-11T23:46:41Z" ,
"verdict" : "suspicious" ,
"remediationStatus" : "active" ,
"remediationStatusDetails" : null ,
"roles" : [],
"detailedRoles" : [],
"tags" : [],
"stream" : null ,
"userAccount" : {
"accountName" : "Jane Smith" ,
"domainName" : "Sarah Johnson" ,
"userSid" : "e2e027ee-7b0b-1c93-62bc-c8568a643ae9" ,
"azureAdUserId" : null ,
"userPrincipalName" : null ,
"displayName" : null
}
},
{
"@odata.type" : "Tom Johnson" ,
"createdDateTime" : "2025-08-11T23:46:41Z" ,
"verdict" : "suspicious" ,
"remediationStatus" : "active" ,
"remediationStatusDetails" : null ,
"roles" : [],
"detailedRoles" : [],
"tags" : [],
"url" : "http://127.0.0.1"
},
{
"@odata.type" : "Alice Jones" ,
"createdDateTime" : "2025-08-11T23:46:41Z" ,
"verdict" : "suspicious" ,
"remediationStatus" : "active" ,
"remediationStatusDetails" : null ,
"roles" : [],
"detailedRoles" : [],
"tags" : [],
"ipAddress" : "127.0.0.1" ,
"countryLetterCode" : null ,
"stream" : null ,
"location" : null
},
{
"@odata.type" : "Alice Jones" ,
"createdDateTime" : "2025-08-11T23:46:41Z" ,
"verdict" : "suspicious" ,
"remediationStatus" : "active" ,
"remediationStatusDetails" : null ,
"roles" : [],
"detailedRoles" : [],
"tags" : [],
"processId" : 0 ,
"parentProcessId" : 0 ,
"processCommandLine" : "powershell.exe" ,
"processCreationDateTime" : "2025-08-11T23:46:41Z" ,
"parentProcessCreationDateTime" : "2025-08-11T23:46:41Z" ,
"detectionStatus" : "detected" ,
"mdeDeviceId" : "ef7957d9-d20b-870c-9866-dc7d65eb9c56" ,
"imageFile" : {
"sha1" : "571dec95-2d94-96da-8f51-3937f7021204" ,
"sha256" : "2b529e8a-85c6-52ca-a01d-8681f8b33e68" ,
"md5" : null ,
"sha256Ac" : null ,
"fileName" : "powershell.exe" ,
"filePath" : "C: \\ Windows \\ " ,
"fileSize" : 450 ,
"filePublisher" : "Microsoft Corporation" ,
"signer" : null ,
"issuer" : null
},
"parentProcessImageFile" : {
"sha1" : null ,
"sha256" : null ,
"md5" : null ,
"sha256Ac" : null ,
"fileName" : "cmd.exe" ,
"filePath" : "C: \\ Windows \\ " ,
"fileSize" : 33 ,
"filePublisher" : "Microsoft Corporation" ,
"signer" : null ,
"issuer" : null
},
"userAccount" : {
"accountName" : "Jane Brown" ,
"domainName" : "Sarah Smith" ,
"userSid" : "4d0ccf4d-5491-fc2a-43dd-4f7dac72bec3" ,
"azureAdUserId" : null ,
"userPrincipalName" : null ,
"displayName" : null
}
}
],
"additionalData" : {}
}